running as non-root doesn't get kernel log
I'm trying to run syslog-ng 2.0.0 as a user that's not root via the -u option. The problem is that it doesn't get the kernel log. Tracking with strace shows that it doesn't open the kernel destination file. I made sure that events were being generated. Running as root strace shows the kernel destination being opened, and the events are recorded in the file. Any ideas?
Have you tried adding the syslog-ng user to a group and granting permissions on /dev/log or whatever you have to that group, such as

chown root:logger /dev/log

ls -l /dev/log
srw-rw-rw- 1 root logger 0 Jan 27 03:10 /dev/log=

Then restart syslog-ng and it should be able to read from the socket.

-h
Hari Sekhon

Carlos Carvalho wrote:
I'm trying to run syslog-ng 2.0.0 as a user that's not root via the -u option. The problem is that it doesn't get the kernel log. Tracking with strace shows that it doesn't open the kernel destination file. I made sure that events were being generated. Running as root strace shows the kernel destination being opened, and the events are recorded in the file.
Any ideas?
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
Hari Sekhon (hpsekhon@googlemail.com) wrote on 29 January 2007 12:13:
Have you tried adding the syslog-ng user to a group and granting permissions on /dev/log or whatever you have to that group, such as
chown root:logger /dev/log
ls -l /dev/log
srw-rw-rw- 1 root logger 0 Jan 27 03:10 /dev/log=
Then restart syslog-ng and it should be able to read from the socket.
That shouldn't be necessary because it opens /dev/log before dropping root privileges. Also, messages to the auth log are recorded, even though those to the kernel log are not.
Hi All!
On Mon, 2007-01-29 at 09:37 -0200, Carlos Carvalho wrote:
I'm trying to run syslog-ng 2.0.0 as a user that's not root via the -u option. The problem is that it doesn't get the kernel log. Tracking with strace shows that it doesn't open the kernel destination file. I
The question is whether syslog-ng tries to open the kernel _source_ file or not. (The kernel source file is /proc/kmsg.) If syslog-ng doesn't have the right to open (or read, when SELinux is installed) this socket, then it cannot read the log messages.
SZALAY Attila (sasa@pheniscidae.tvnetwork.hu) wrote on 29 January 2007 15:37:
On Mon, 2007-01-29 at 09:37 -0200, Carlos Carvalho wrote:
I'm trying to run syslog-ng 2.0.0 as a user that's not root via the -u option. The problem is that it doesn't get the kernel log. Tracking with strace shows that it doesn't open the kernel destination file. I
The question is whether syslog-ng tries to open the kernel _source_ file or not. (The kernel source file is /proc/kmsg.) If syslog-ng doesn't have the right to open (or read, when SELinux is installed) this socket, then it cannot read the log messages.
It does open /proc/kmsg:
open("/proc/kmsg", O_RDONLY|O_NONBLOCK|O_NOCTTY|O_LARGEFILE) = 5
It doesn't open /var/log/kernel/log (the file configured as destination).
then the question is does it fail to open the /var/log/kernel/log file before or after dropping root privs and can you solve this by granting the "logger" group the privs on the files?

-h
Hari Sekhon

Carlos Carvalho wrote:
SZALAY Attila (sasa@pheniscidae.tvnetwork.hu) wrote on 29 January 2007 15:37:
On Mon, 2007-01-29 at 09:37 -0200, Carlos Carvalho wrote:
I'm trying to run syslog-ng 2.0.0 as a user that's not root via the -u option. The problem is that it doesn't get the kernel log. Tracking with strace shows that it doesn't open the kernel destination file. I
The question is whether syslog-ng tries to open the kernel _source_ file or not. (The kernel source file is /proc/kmsg.) If syslog-ng doesn't have the right to open (or read, when SELinux is installed) this socket, then it cannot read the log messages.
It does open /proc/kmsg:
open("/proc/kmsg", O_RDONLY|O_NONBLOCK|O_NOCTTY|O_LARGEFILE) = 5
It doesn't open /var/log/kernel/log (the file configured as destination).
Hari Sekhon (hpsekhon@googlemail.com) wrote on 29 January 2007 15:23:
then the question is does it fail to open the /var/log/kernel/log file before or after dropping root privs
It doesn't fail to open in the sense that it tries and doesn't get it, otherwise I'd see the open call in strace and the permission denied return. It seems it simply doesn't do the open.
and can you solve this by granting the "logger" group the privs on the files?
That's how it is. All destinations belong to the user syslog-ng switches to.
On Mon, 2007-01-29 at 12:51 -0200, Carlos Carvalho wrote:
SZALAY Attila (sasa@pheniscidae.tvnetwork.hu) wrote on 29 January 2007 15:37:
On Mon, 2007-01-29 at 09:37 -0200, Carlos Carvalho wrote:
I'm trying to run syslog-ng 2.0.0 as a user that's not root via the -u option. The problem is that it doesn't get the kernel log. Tracking with strace shows that it doesn't open the kernel destination file. I
The question is whether syslog-ng tries to open the kernel _source_ file or not. (The kernel source file is /proc/kmsg.) If syslog-ng doesn't have the right to open (or read, when SELinux is installed) this socket, then it cannot read the log messages.
It does open /proc/kmsg:
open("/proc/kmsg", O_RDONLY|O_NONBLOCK|O_NOCTTY|O_LARGEFILE) = 5
It doesn't open /var/log/kernel/log (the file configured as destination).
Can you see any activity on fd 5 after being successfully opened?

--
Bazsi
Balazs Scheidler (bazsi@balabit.hu) wrote on 29 January 2007 17:53:
On Mon, 2007-01-29 at 12:51 -0200, Carlos Carvalho wrote:
SZALAY Attila (sasa@pheniscidae.tvnetwork.hu) wrote on 29 January 2007 15:37:
On Mon, 2007-01-29 at 09:37 -0200, Carlos Carvalho wrote:
I'm trying to run syslog-ng 2.0.0 as a user that's not root via the -u option. The problem is that it doesn't get the kernel log. Tracking with strace shows that it doesn't open the kernel destination file. I
The question is whether syslog-ng tries to open the kernel _source_ file or not. (The kernel source file is /proc/kmsg.) If syslog-ng doesn't have the right to open (or read, when SELinux is installed) this socket, then it cannot read the log messages.
It does open /proc/kmsg:
open("/proc/kmsg", O_RDONLY|O_NONBLOCK|O_NOCTTY|O_LARGEFILE) = 5
It doesn't open /var/log/kernel/log (the file configured as destination).
Can you see any activity on fd 5 after being successfully opened?
I'm not sure what you mean. As I said before, I'm sure events that produce log entries are generated. Doing a cat /proc/kmsg also shows them.
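Added example, not part of the original thread and not syslog-ng code: a small Python filter that answers the two questions raised above from a saved strace log, namely whether any read() on the /proc/kmsg descriptor returned data after it was opened, and whether an open() of the destination file was ever attempted. The function name, the UID 104 and the sample lines are assumptions constructed for illustration; they are not the poster's trace.

```python
import re

# Optional pid prefix (strace -f / -o), syscall name, arguments, return value, errno name.
CALL = re.compile(r'^(?:\[pid\s+\d+\]\s+|\d+\s+)?(\w+)\((.*)\)\s+=\s+(-?\d+)(?:\s+([A-Z]\w+))?')

def trace_summary(lines, source="/proc/kmsg", dest="/var/log/kernel/log"):
    """Report what a strace log shows for one log source and one destination file."""
    fds = {}  # fd number -> path currently open on it
    out = {"source_fd": None, "source_reads": 0, "source_bytes": 0, "source_errors": [],
           "dest_attempted": False, "dest_errno": None, "setuid_line": None}
    for lineno, line in enumerate(lines, 1):
        m = CALL.match(line.strip())
        if not m:
            continue  # signal notes, unfinished/resumed calls, blank lines
        call, args, ret, errno = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        first_fd = re.match(r'\d+', args)
        if call in ("open", "openat"):
            path = re.search(r'"([^"]*)"', args)
            path = path.group(1) if path else None
            if ret >= 0:
                fds[ret] = path
                if path == source:
                    out["source_fd"] = ret
            if path == dest:
                out["dest_attempted"] = True
                out["dest_errno"] = errno if ret < 0 else None
        elif call == "close" and first_fd:
            fds.pop(int(first_fd.group()), None)
        elif call == "read" and first_fd and fds.get(int(first_fd.group())) == source:
            if ret > 0:  # data actually arrived from the source
                out["source_reads"] += 1
                out["source_bytes"] += ret
            elif ret < 0:
                out["source_errors"].append(errno)
        elif call in ("setuid", "setresuid", "setreuid") and ret == 0 and out["setuid_line"] is None:
            out["setuid_line"] = lineno  # first successful UID switch
    return out

# Constructed strace lines for illustration; not the trace from the thread.
SAMPLE = """\
open("/proc/kmsg", O_RDONLY|O_NONBLOCK|O_NOCTTY|O_LARGEFILE) = 5
setuid(104) = 0
read(5, 0x80a3f10, 8192) = -1 EPERM (Operation not permitted)
open("/var/log/auth/log", O_WRONLY|O_APPEND|O_CREAT|O_LARGEFILE, 0600) = 7
""".splitlines()

if __name__ == "__main__":
    print(trace_summary(SAMPLE))
```

A summary with `source_reads` at 0 and `dest_attempted` false matches the symptom described in the thread: the source is open, no message is ever read from it, so no open of the destination file appears in the trace.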
participants (4)
- Balazs Scheidler
- carlos@fisica.ufpr.br
- Hari Sekhon
- SZALAY Attila